summaryrefslogtreecommitdiff
path: root/man/dnsmasq.8
diff options
context:
space:
mode:
authorSeonah Moon <seonah1.moon@samsung.com>2021-01-19 12:55:12 +0900
committerSeonah Moon <seonah1.moon@samsung.com>2021-01-19 13:17:01 +0900
commit09d50377ce7e37f2719227f03687b5286d9a82a5 (patch)
treed27fcdbca6b6d89591283b7ce901e87d6d62bb18 /man/dnsmasq.8
parentfa9b094891049a0cdb6c6379e8308cb3a07614ef (diff)
parent7511c9647d76e9e187e83847294b1a5c491ebc28 (diff)
downloaddnsmasq-09d50377ce7e37f2719227f03687b5286d9a82a5.tar.gz
dnsmasq-09d50377ce7e37f2719227f03687b5286d9a82a5.tar.bz2
dnsmasq-09d50377ce7e37f2719227f03687b5286d9a82a5.zip
Change-Id: Ia73a4e8c6a2efff2c1d07b195d17529451ca6f95
Diffstat (limited to 'man/dnsmasq.8')
-rw-r--r--man/dnsmasq.8470
1 files changed, 280 insertions, 190 deletions
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index bd99b48..7b0e106 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -1,4 +1,4 @@
-.TH DNSMASQ 8
+.TH DNSMASQ 8 2020-04-05
.SH NAME
dnsmasq \- A lightweight DHCP and caching DNS server.
.SH SYNOPSIS
@@ -27,7 +27,7 @@ TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP. The PXE
.PP
The dnsmasq DHCPv6 server provides the same set of features as the
DHCPv4 server, and in addition, it includes router advertisements and
-a neat feature which allows nameing for clients which use DHCPv4 and
+a neat feature which allows naming for clients which use DHCPv4 and
stateless autoconfiguration only for IPv6 configuration. There is support for doing address allocation (both DHCPv6 and RA) from subnets which are dynamically delegated via DHCPv6 prefix delegation.
.PP
Dnsmasq is coded with small embedded systems in mind. It aims for the smallest possible memory footprint compatible with the supported functions, and allows unneeded functions to be omitted from the compiled binary.
@@ -53,13 +53,13 @@ will display DHCPv6 options.
Don't read the hostnames in /etc/hosts.
.TP
.B \-H, --addn-hosts=<file>
-Additional hosts file. Read the specified file as well as /etc/hosts. If -h is given, read
+Additional hosts file. Read the specified file as well as /etc/hosts. If \fB--no-hosts\fP is given, read
only the specified file. This option may be repeated for more than one
additional hosts file. If a directory is given, then read all the files contained in that directory.
.TP
.B --hostsdir=<path>
Read all the hosts files contained in the directory. New or changed files
-are read automatically. See --dhcp-hostsdir for details.
+are read automatically. See \fB--dhcp-hostsdir\fP for details.
.TP
.B \-E, --expand-hosts
Add the domain to simple names (without a period) in /etc/hosts
@@ -76,7 +76,7 @@ reduce the load on the server at the expense of clients using stale
data under some circumstances.
.TP
.B --dhcp-ttl=<time>
-As for --local-ttl, but affects only replies with information from DHCP leases. If both are given, --dhcp-ttl applies for DHCP information, and --local-ttl for others. Setting this to zero eliminates the effect of --local-ttl for DHCP.
+As for \fB--local-ttl\fP, but affects only replies with information from DHCP leases. If both are given, \fB--dhcp-ttl\fP applies for DHCP information, and \fB--local-ttl\fP for others. Setting this to zero eliminates the effect of \fB--local-ttl\fP for DHCP.
.TP
.B --neg-ttl=<time>
Negative replies from upstream servers normally contain time-to-live
@@ -115,7 +115,7 @@ don't change user id, generate a complete cache dump on receipt on
SIGUSR1, log to stderr as well as syslog, don't fork new processes
to handle TCP queries. Note that this option is for use in debugging
only, to stop dnsmasq daemonising in production, use
-.B -k.
+.B --keep-in-foreground.
.TP
.B \-q, --log-queries
Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. If the argument "extra" is supplied, ie
@@ -156,7 +156,7 @@ can be over-ridden with this switch.
.TP
.B \-g, --group=<groupname>
Specify the group which dnsmasq will run
-as. The defaults to "dip", if available, to facilitate access to
+as. The default is "dip", if available, to facilitate access to
/etc/ppp/resolv.conf which is not normally world readable.
.TP
.B \-v, --version
@@ -191,7 +191,6 @@ Dnsmasq picks random ports as source for outbound queries:
when this option is given, the ports used will always be lower
than that specified. Useful for systems behind firewalls.
.TP
-
.B \-i, --interface=<interface name>
Listen only on the specified interface(s). Dnsmasq automatically adds
the loopback (local) interface to the list of interfaces to use when
@@ -232,7 +231,7 @@ options always override the others. The comments about interface labels for
.B --listen-address
apply here.
.TP
-.B --auth-server=<domain>,<interface>|<ip-address>
+.B --auth-server=<domain>,[<interface>|<ip-address>...]
Enable DNS authoritative mode for queries arriving at an interface or address. Note that the interface or address
need not be mentioned in
.B --interface
@@ -245,13 +244,13 @@ specified interface. The <domain> is the "glue record". It should
resolve in the global DNS to an A and/or AAAA record which points to
the address dnsmasq is listening on. When an interface is specified,
it may be qualified with "/4" or "/6" to specify only the IPv4 or IPv6
-addresses associated with the interface.
+addresses associated with the interface. Since any defined authoritative zones are also available as part of the normal recusive DNS service supplied by dnsmasq, it can make sense to have an --auth-server declaration with no interfaces or address, but simply specifying the primary external nameserver.
.TP
.B --local-service
Accept DNS queries only from hosts whose address is on a local subnet,
ie a subnet for which an interface exists on the server. This option
-only has effect if there are no --interface --except-interface,
---listen-address or --auth-server options. It is intended to be set as
+only has effect if there are no \fB--interface\fP, \fB--except-interface\fP,
+\fB--listen-address\fP or \fB--auth-server\fP options. It is intended to be set as
a default on installation, to allow unconfigured installations to be
useful but also safe from being used for DNS amplification attacks.
.TP
@@ -294,10 +293,10 @@ addresses appear, it automatically listens on those (subject to any
access-control configuration). This makes dynamically created
interfaces work in the same way as the default. Implementing this
option requires non-standard networking APIs and it is only available
-under Linux. On other platforms it falls-back to --bind-interfaces mode.
+under Linux. On other platforms it falls-back to \fB--bind-interfaces\fP mode.
.TP
.B \-y, --localise-queries
-Return answers to DNS queries from /etc/hosts and --interface-name which depend on the interface over which the query was
+Return answers to DNS queries from /etc/hosts and \fB--interface-name\fP which depend on the interface over which the query was
received. If a name has more than one address associated with
it, and at least one of those addresses is on the same subnet as the
interface to which the query was sent, then return only the
@@ -367,6 +366,14 @@ been built with DBus support. If the service name is given, dnsmasq
provides service at that name, rather than the default which is
.B uk.org.thekelleys.dnsmasq
.TP
+.B --enable-ubus[=<service-name>]
+Enable dnsmasq UBus interface. It sends notifications via UBus on
+DHCPACK and DHCPRELEASE events. Furthermore it offers metrics.
+Requires that dnsmasq has been built with UBus support. If the service
+name is given, dnsmasq provides service at that namespace, rather than
+the default which is
+.B dnsmasq
+.TP
.B \-o, --strict-order
By default, dnsmasq will send queries to any of the upstream servers
it knows about and tries to favour servers that are known to
@@ -391,18 +398,20 @@ were previously disabled.
.TP
.B --stop-dns-rebind
Reject (and log) addresses from upstream nameservers which are in the
-private IP ranges. This blocks an attack where a browser behind a
-firewall is used to probe machines on the local network.
+private ranges. This blocks an attack where a browser behind a
+firewall is used to probe machines on the local network. For IPv6, the
+private range covers the IPv4-mapped addresses in private space plus
+all link-local (LL) and site-local (ULA) addresses.
.TP
.B --rebind-localhost-ok
-Exempt 127.0.0.0/8 from rebinding checks. This address range is
+Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address range is
returned by realtime black hole servers, so blocking it may disable
these services.
.TP
.B --rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
Do not detect and block dns-rebind on queries to these domains. The
argument may be either a single domain, or multiple domains surrounded
-by '/', like the --server syntax, eg.
+by '/', like the \fB--server\fP syntax, eg.
.B --rebind-domain-ok=/domain1/domain2/domain3/
.TP
.B \-n, --no-poll
@@ -419,16 +428,15 @@ Tells dnsmasq to never forward A or AAAA queries for plain names, without dots
or domain parts, to upstream nameservers. If the name is not known
from /etc/hosts or DHCP then a "not found" answer is returned.
.TP
-.B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
+.B \-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<source-ip>|<interface>[#<port>]]
Specify IP address of upstream servers directly. Setting this flag does
-not suppress reading of /etc/resolv.conf, use -R to do that. If one or
-more
+not suppress reading of /etc/resolv.conf, use \fB--no-resolv\fP to do that. If one or more
optional domains are given, that server is used only for those domains
and they are queried only using the specified server. This is
intended for private nameservers: if you have a nameserver on your
network which deals with names of the form
xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag
-.B -S /internal.thekelleys.org.uk/192.168.1.1
+.B --server=/internal.thekelleys.org.uk/192.168.1.1
will send all queries for
internal machines to that nameserver, everything else will go to the
servers in /etc/resolv.conf. DNSSEC validation is turned off for such
@@ -440,7 +448,7 @@ has the special meaning of "unqualified names only" ie names without any
dots in them. A non-standard port may be specified as
part of the IP
address using a # character.
-More than one -S flag is allowed, with
+More than one \fB--server\fP flag is allowed, with
repeated domain or ipaddr parts as required.
More specific domains take precedence over less specific domains, so:
@@ -460,9 +468,9 @@ flag which gives a domain but no IP address; this tells dnsmasq that
a domain is local and it may answer queries from /etc/hosts or DHCP
but should never forward queries on that domain to any upstream
servers.
-.B local
+.B --local
is a synonym for
-.B server
+.B --server
to make configuration files clearer in this case.
IPv6 addresses may include an %interface scope-id, eg
@@ -481,7 +489,7 @@ source address specified but the port may be specified directly as
part of the source address. Forcing queries to an interface is not
implemented on all platforms supported by dnsmasq.
.TP
-.B --rev-server=<ip-address>/<prefix-len>,<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]
+.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<source-ip>|<interface>[#<port>]]
This is functionally the same as
.B --server,
but provides some syntactic sugar to make specifying address-to-name queries easier. For example
@@ -493,7 +501,7 @@ is exactly equivalent to
Specify an IP address to return for any host in the given domains.
Queries in the domains are never forwarded and always replied to
with the specified IP address which may be IPv4 or IPv6. To give
-both IPv4 and IPv6 addresses for a domain, use repeated \fB-A\fP flags.
+both IPv4 and IPv6 addresses for a domain, use repeated \fB--address\fP flags.
To include multiple IP addresses for a single query, use
\fB--addn-hosts=<path>\fP instead.
Note that /etc/hosts and DHCP leases override this for individual
@@ -507,7 +515,12 @@ upstream nameserver by a more specific \fB--server\fP directive. As for
\fB--server\fP, one or more domains with no address returns a
no-such-domain answer, so \fB--address=/example.com/\fP is equivalent to
\fB--server=/example.com/\fP and returns NXDOMAIN for example.com and
-all its subdomains.
+all its subdomains. An address specified as '#' translates to the NULL
+address of 0.0.0.0 and its IPv6 equivalent of :: so
+\fB--address=/example.com/#\fP will return NULL addresses for example.com and
+its subdomains. This is partly syntactic sugar for \fB--address=/example.com/0.0.0.0\fP
+and \fB--address=/example.com/::\fP but is also more efficient than including both
+as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves.
.TP
.B --ipset=/<domain>[/<domain>...]/<ipset>[,<ipset>...]
Places the resolved IP addresses of queries for one or more domains in
@@ -523,7 +536,7 @@ for more details.
.B \-m, --mx-host=<mx name>[[,<hostname>],<preference>]
Return an MX record named <mx name> pointing to the given hostname (if
given), or
-the host specified in the --mx-target switch
+the host specified in the \fB--mx-target\fP switch
or, if that switch is not given, the host on which dnsmasq
is running. The default is useful for directing mail from systems on a LAN
to a central server. The preference value is optional, and defaults to
@@ -531,7 +544,7 @@ to a central server. The preference value is optional, and defaults to
.TP
.B \-t, --mx-target=<hostname>
Specify the default target for the MX record returned by dnsmasq. See
---mx-host. If --mx-target is given, but not --mx-host, then dnsmasq
+\fB--mx-host\fP. If \fB--mx-target\fP is given, but not \fB--mx-host\fP, then dnsmasq
returns a MX record containing the MX target for MX queries on the
hostname of the machine on which dnsmasq is running.
.TP
@@ -540,7 +553,7 @@ Return an MX record pointing to itself for each local
machine. Local machines are those in /etc/hosts or with DHCP leases.
.TP
.B \-L, --localmx
-Return an MX record pointing to the host given by mx-target (or the
+Return an MX record pointing to the host given by \fB--mx-target\fP (or the
machine on which dnsmasq is running) for each
local machine. Local machines are those in /etc/hosts or with DHCP
leases.
@@ -560,22 +573,22 @@ all that match are returned.
Add A, AAAA and PTR records to the DNS. This adds one or more names to
the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may
appear in more than one
-.B host-record
+.B --host-record
and therefore be assigned more than one address. Only the first
address creates a PTR record linking the address to the name. This is
the same rule as is used reading hosts-files.
-.B host-record
+.B --host-record
options are considered to be read before host-files, so a name
appearing there inhibits PTR-record creation if it appears in
hosts-file also. Unlike hosts-files, names are not expanded, even when
-.B expand-hosts
+.B --expand-hosts
is in effect. Short and long names may appear in the same
-.B host-record,
+.B --host-record,
eg.
.B --host-record=laptop,laptop.thekelleys.org,192.168.0.1,1234::100
If the time-to-live is given, it overrides the default, which is zero
-or the value of --local-ttl. The value is a positive integer and gives
+or the value of \fB--local-ttl\fP. The value is a positive integer and gives
the time-to-live in seconds.
.TP
.B \-Y, --txt-record=<name>[[,<text>],<text>]
@@ -590,20 +603,20 @@ Return a PTR DNS record.
.B --naptr-record=<name>,<order>,<preference>,<flags>,<service>,<regexp>[,<replacement>]
Return an NAPTR DNS record, as specified in RFC3403.
.TP
+.B --caa-record=<name>,<flags>,<tag>,<value>
+Return a CAA DNS record, as specified in RFC6844.
+.TP
.B --cname=<cname>,[<cname>,]<target>[,<TTL>]
Return a CNAME record which indicates that <cname> is really
-<target>. There are significant limitations on the target; it must be a
-DNS name which is known to dnsmasq from /etc/hosts (or additional
-hosts files), from DHCP, from --interface-name or from another
-.B --cname.
-If the target does not satisfy this
-criteria, the whole cname is ignored. The cname must be unique, but it
+<target>. There is a significant limitation on the target; it must be a
+DNS record which is known to dnsmasq and NOT a DNS record which comes from
+an upstream server. The cname must be unique, but it
is permissible to have more than one cname pointing to the same target. Indeed
it's possible to declare multiple cnames to a target in a single line, like so:
.B --cname=cname1,cname2,target
If the time-to-live is given, it overrides the default, which is zero
-or the value of -local-ttl. The value is a positive integer and gives
+or the value of \fB--local-ttl\fP. The value is a positive integer and gives
the time-to-live in seconds.
.TP
.B --dns-rr=<name>,<RR-number>,[<hex data>]
@@ -624,7 +637,7 @@ matching PTR record is also created, mapping the interface address to
the name. More than one name may be associated with an interface
address by repeating the flag; in that case the first instance is used
for the reverse address-to-name mapping. Note that a name used in
---interface-name may not appear in /etc/hosts.
+\fB--interface-name\fP may not appear in /etc/hosts.
.TP
.B --synth-domain=<domain>,<address range>[,<prefix>[*]]
Create artificial A/AAAA and PTR records for an address range. The
@@ -647,6 +660,13 @@ V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are ha
The address range can be of the form
<ip address>,<ip address> or <ip address>/<netmask> in both forms of the option.
.TP
+.B --dumpfile=<path/to/file>
+Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end.
+.TP
+.B --dumpmask=<mask>
+Specify which types of packets should be added to the dumpfile. The argument should be the OR of the bitmasks for each type of packet to be dumped: it can be specified in hex by preceding the number with 0x in the normal way. Each time a packet is written to the dumpfile, dnsmasq logs the packet sequence and the mask
+representing its type. The current types are: 0x0001 - DNS queries from clients 0x0002 DNS replies to clients 0x0004 - DNS queries to upstream 0x0008 - DNS replies from upstream 0x0010 - queries send upstream for DNSSEC validation 0x0020 - replies to queries for DNSSEC validation 0x0040 - replies to client queries which fail DNSSEC validation 0x0080 replies to queries for DNSSEC validation which fail validation.
+.TP
.B --add-mac[=base64|text]
Add the MAC address of the requestor to DNS queries which are
forwarded upstream. This may be used to DNS filtering by the upstream
@@ -655,11 +675,11 @@ subnet as the dnsmasq server. Note that the mechanism used to achieve this (an E
is not yet standardised, so this should be considered
experimental. Also note that exposing MAC addresses in this way may
have security and privacy implications. The warning about caching
-given for --add-subnet applies to --add-mac too. An alternative encoding of the
+given for \fB--add-subnet\fP applies to \fB--add-mac\fP too. An alternative encoding of the
MAC, as base64, is enabled by adding the "base64" parameter and a human-readable encoding of hex-and-colons is enabled by added the "text" parameter.
.TP
.B --add-cpe-id=<string>
-Add an arbitrary identifying string to o DNS queries which are
+Add an arbitrary identifying string to DNS queries which are
forwarded upstream.
.TP
.B --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]
@@ -685,7 +705,7 @@ will add 1.2.3.0/24 for both IPv4 and IPv6 requestors.
.TP
.B \-c, --cache-size=<cachesize>
-Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.
+Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. Note: huge cache size impacts performance.
.TP
.B \-N, --no-negcache
Disable negative caching. Negative caching allows dnsmasq to remember
@@ -712,10 +732,7 @@ permitted to reduce the cache size below the default when DNSSEC is
enabled. The nameservers upstream of dnsmasq must be DNSSEC-capable,
ie capable of returning DNSSEC records with data. If they are not,
then dnsmasq will not be able to determine the trusted status of
-answers. In the default mode, this means that all replies will be
-marked as untrusted. If
-.B --dnssec-check-unsigned
-is set and the upstream servers don't support DNSSEC, then DNS service will be entirely broken.
+answers and this means that DNS service will be entirely broken.
.TP
.B --trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
Provide DS records to act a trust anchors for DNSSEC
@@ -724,17 +741,19 @@ key(s) (KSK) of the root zone,
but trust anchors for limited domains are also possible. The current
root-zone trust anchors may be downloaded from https://data.iana.org/root-anchors/root-anchors.xml
.TP
-.B --dnssec-check-unsigned
-As a default, dnsmasq does not check that unsigned DNS replies are
-legitimate: they are assumed to be valid and passed on (without the
+.B --dnssec-check-unsigned[=no]
+As a default, dnsmasq checks that unsigned DNS replies are
+legitimate: this entails possible extra queries even for the majority of DNS
+zones which are not, at the moment, signed. If
+.B --dnssec-check-unsigned=no
+appears in the configuration, then such replies they are assumed to be valid and passed on (without the
"authentic data" bit set, of course). This does not protect against an
attacker forging unsigned replies for signed DNS zones, but it is
-fast. If this flag is set, dnsmasq will check the zones of unsigned
-replies, to ensure that unsigned replies are allowed in those
-zones. The cost of this is more upstream queries and slower
-performance. See also the warning about upstream servers in the
-section on
-.B --dnssec
+fast.
+
+Versions of dnsmasq prior to 2.80 defaulted to not checking unsigned replies, and used
+.B --dnssec-check-unsigned
+to switch this on. Such configurations will continue to work as before, but those which used the default of no checking will need to be altered to explicitly select no checking. The new default is because switching off checking for unsigned replies is inherently dangerous. Not only does it open the possiblity of forged replies, but it allows everything to appear to be working even when the upstream namesevers do not support DNSSEC, and in this case no DNSSEC validation at all is occurring.
.TP
.B --dnssec-no-timecheck
DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an
@@ -747,19 +766,22 @@ which have not been thoroughly checked.
Earlier versions of dnsmasq overloaded SIGHUP (which re-reads much configuration) to also enable time validation.
-If dnsmasq is run in debug mode (-d flag) then SIGINT retains its usual meaning of terminating the dnsmasq process.
+If dnsmasq is run in debug mode (\fB--no-daemon\fP flag) then SIGINT retains its usual meaning of terminating the dnsmasq process.
.TP
.B --dnssec-timestamp=<path>
-Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the
+Enables an alternative way of checking the validity of the system time for DNSSEC (see \fB--dnssec-no-timecheck\fP). In this case, the
system time is considered to be valid once it becomes later than the timestamp on the specified file. The file is created and
its timestamp set automatically by dnsmasq. The file must be stored on a persistent filesystem, so that it and its mtime are carried
over system restarts. The timestamp file is created after dnsmasq has dropped root, so it must be in a location writable by the
unprivileged user that dnsmasq runs as.
.TP
.B --proxy-dnssec
-Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an
+Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients. This is an
alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between
-dnsmasq and the upstream servers, and the trustworthiness of the upstream servers.
+dnsmasq and the upstream servers, and the trustworthiness of the upstream servers. Note that caching the
+Authenticated Data bit correctly in all cases is not technically possible. If the AD bit is to be relied upon
+when using this option, then the cache should be disabled using --cache-size=0. In most cases, enabling DNSSEC validation
+within dnsmasq is a better option. See --dnssec for details.
.TP
.B --dnssec-debug
Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries,
@@ -783,7 +805,7 @@ interface addresses may be confined to only IPv6 addresses using
an interface has dynamically determined global IPv6 addresses which should
appear in the zone, but RFC1918 IPv4 addresses which should not.
Interface-name and address-literal subnet specifications may be used
-freely in the same --auth-zone declaration.
+freely in the same \fB--auth-zone\fP declaration.
It's possible to exclude certain IP addresses from responses. It can be
used, to make sure that answers contain only global routeable IP
@@ -810,8 +832,13 @@ authoritative zones as dnsmasq.
.B --auth-peer=<ip-address>[,<ip-address>[,<ip-address>...]]
Specify the addresses of secondary servers which are allowed to
initiate zone transfer (AXFR) requests for zones for which dnsmasq is
-authoritative. If this option is not given, then AXFR requests will be
-accepted from any secondary.
+authoritative. If this option is not given but --auth-sec-servers is,
+then AXFR requests will be
+accepted from any secondary. Specifying
+.B --auth-peer
+without
+.B --auth-sec-servers
+enables zone transfer but does not advertise the secondary in NS records returned by dnsmasq.
.TP
.B --conntrack
Read the Linux connection track mark associated with incoming DNS
@@ -821,7 +848,7 @@ associated with the queries which cause it, useful for bandwidth
accounting and firewalling. Dnsmasq must have conntrack support
compiled in and the kernel must have conntrack support
included and configured. This option cannot be combined with
---query-port.
+.B --query-port.
.TP
.B \-F, --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-addr>|<mode>][,<netmask>[,<broadcast>]][,<lease time>]
.TP
@@ -830,11 +857,11 @@ included and configured. This option cannot be combined with
Enable the DHCP server. Addresses will be given out from the range
<start-addr> to <end-addr> and from statically defined addresses given
in
-.B dhcp-host
+.B --dhcp-host
options. If the lease time is given, then leases
will be given for that length of time. The lease time is in seconds,
or minutes (eg 45m) or hours (eg 1h) or "infinite". If not given,
-the default lease time is one hour. The
+the default lease time is one hour for IPv4 and one day for IPv6. The
minimum lease time is two minutes. For IPv6 ranges, the lease time
maybe "deprecated"; this sets the preferred lifetime sent in a DHCP
lease or router advertisement to zero, which causes clients to use
@@ -849,7 +876,7 @@ agent, dnsmasq cannot determine the netmask itself, so it should be
specified, otherwise dnsmasq will have to guess, based on the class (A, B or
C) of the network address. The broadcast address is
always optional. It is always
-allowed to have more than one dhcp-range in a single subnet.
+allowed to have more than one \fB--dhcp-range\fP in a single subnet.
For IPv6, the parameters are slightly different: instead of netmask
and broadcast address, there is an optional prefix length which must
@@ -873,7 +900,7 @@ then deleted. The interface name may have a final "*" wildcard. Note
that just any address on eth0 will not do: it must not be an
autoconfigured or privacy address, or be deprecated.
-If a dhcp-range is only being used for stateless DHCP and/or SLAAC,
+If a \fB--dhcp-range\fP is only being used for stateless DHCP and/or SLAAC,
then the address can be simply ::
.B --dhcp-range=::,constructor:eth0
@@ -882,7 +909,7 @@ then the address can be simply ::
The optional
.B set:<tag>
sets an alphanumeric label which marks this network so that
-dhcp options may be specified on a per-network basis.
+DHCP options may be specified on a per-network basis.
When it is prefixed with 'tag:' instead, then its meaning changes from setting
a tag to matching it. Only one tag may be set, but more than one tag
may be matched.
@@ -892,7 +919,7 @@ The optional <mode> keyword may be
which tells dnsmasq to enable DHCP for the network specified, but not
to dynamically allocate IP addresses: only hosts which have static
addresses given via
-.B dhcp-host
+.B --dhcp-host
or from /etc/ethers will be served. A static-only subnet with address
all zeros may be used as a "catch-all" address to enable replies to all
Information-request packets on a subnet which is provided with
@@ -903,9 +930,9 @@ For IPv4, the <mode> may be
.B proxy
in which case dnsmasq will provide proxy-DHCP on the specified
subnet. (See
-.B pxe-prompt
+.B --pxe-prompt
and
-.B pxe-service
+.B --pxe-service
for details.)
For IPv6, the mode may be some combination of
@@ -953,7 +980,7 @@ is also included, as described in RFC-3775 section 7.3.
tells dnsmasq to advertise the prefix without the on-link (aka L) bit set.
.TP
-.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
+.B \-G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][tag:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
Specify per host parameters for the DHCP server. This allows a machine
with a particular hardware address to be always allocated the same
hostname, IP address and lease time. A hostname specified like this
@@ -971,10 +998,10 @@ dnsmasq to always allocate the machine lap the IP address
192.168.0.199.
Addresses allocated like this are not constrained to be
-in the range given by the --dhcp-range option, but they must be in
+in the range given by the \fB--dhcp-range\fP option, but they must be in
the same subnet as some valid dhcp-range. For
subnets which don't need a pool of dynamically allocated addresses,
-use the "static" keyword in the dhcp-range declaration.
+use the "static" keyword in the \fB--dhcp-range\fP declaration.
It is allowed to use client identifiers (called client
DUID in IPv6-land) rather than
@@ -985,13 +1012,20 @@ allowed to specify the client ID as text, like this:
.B --dhcp-host=id:clientidastext,.....
A single
-.B dhcp-host
-may contain an IPv4 address or an IPv6 address, or both. IPv6 addresses must be bracketed by square brackets thus:
+.B --dhcp-host
+may contain an IPv4 address or one or more IPv6 addresses, or both. IPv6 addresses must be bracketed by square brackets thus:
.B --dhcp-host=laptop,[1234::56]
IPv6 addresses may contain only the host-identifier part:
.B --dhcp-host=laptop,[::56]
-in which case they act as wildcards in constructed dhcp ranges, with
-the appropriate network part inserted.
+in which case they act as wildcards in constructed DHCP ranges, with
+the appropriate network part inserted. For IPv6, an address may include a prefix length:
+.B --dhcp-host=laptop,[1234:50/126]
+which (in this case) specifies four addresses, 1234::50 to 1234::53. This (an the ability
+to specify multiple addresses) is useful
+when a host presents either a consistent name or hardware-ID, but varying DUIDs, since it allows
+dnsmasq to honour the static address allocation but assign a different adddress for each DUID. This
+typically occurs when chain netbooting, as each stage of the chain gets in turn allocates an address.
+
Note that in IPv6 DHCP, the hardware address may not be
available, though it normally is for direct-connected clients, or
clients using DHCP relays which support RFC 6939.
@@ -1006,7 +1040,7 @@ allocated to a DHCP lease, but only if a
.B --dhcp-host
option specifying the name also exists. Only one hostname can be
given in a
-.B dhcp-host
+.B --dhcp-host
option, but aliases are possible by using CNAMEs. (See
.B --cname
).
@@ -1021,16 +1055,19 @@ useful when there is another DHCP server on the network which should
be used by some machines.
The set:<tag> construct sets the tag
-whenever this dhcp-host directive is in use. This can be used to
+whenever this \fB--dhcp-host\fP directive is in use. This can be used to
selectively send DHCP options just for this host. More than one tag
-can be set in a dhcp-host directive (but not in other places where
+can be set in a \fB--dhcp-host\fP directive (but not in other places where
"set:<tag>" is allowed). When a host matches any
-dhcp-host directive (or one implied by /etc/ethers) then the special
+\fB--dhcp-host\fP directive (or one implied by /etc/ethers) then the special
tag "known" is set. This allows dnsmasq to be configured to
ignore requests from unknown machines using
.B --dhcp-ignore=tag:!known
-If the host matches only a dhcp-host directive which cannot
+If the host matches only a \fB--dhcp-host\fP directive which cannot
be used because it specifies an address on different subnet, the tag "known-othernet" is set.
+
+The tag:<tag> construct filters which dhcp-host directives are used. Tagged directives are used in preference to untagged ones.
+
Ethernet addresses (but not client-ids) may have
wildcard bytes, so for example
.B --dhcp-host=00:20:e0:3b:13:*,ignore
@@ -1062,23 +1099,23 @@ has both wired and wireless interfaces.
Read DHCP host information from the specified file. If a directory
is given, then read all the files contained in that directory. The file contains
information about one host per line. The format of a line is the same
-as text to the right of '=' in --dhcp-host. The advantage of storing DHCP host information
+as text to the right of '=' in \fB--dhcp-host\fP. The advantage of storing DHCP host information
in this file is that it can be changed without re-starting dnsmasq:
the file will be re-read when dnsmasq receives SIGHUP.
.TP
.B --dhcp-optsfile=<path>
Read DHCP option information from the specified file. If a directory
is given, then read all the files contained in that directory. The advantage of
-using this option is the same as for --dhcp-hostsfile: the
-dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that
+using this option is the same as for \fB--dhcp-hostsfile\fP: the
+\fB--dhcp-optsfile\fP will be re-read when dnsmasq receives SIGHUP. Note that
it is possible to encode the information in a
.B --dhcp-boot
flag as DHCP options, using the options names bootfile-name,
server-ip-address and tftp-server. This allows these to be included
-in a dhcp-optsfile.
+in a \fB--dhcp-optsfile\fP.
.TP
.B --dhcp-hostsdir=<path>
-This is equivalent to dhcp-hostsfile, except for the following. The path MUST be a
+This is equivalent to \fB--dhcp-hostsfile\fP, except for the following. The path MUST be a
directory, and not an individual file. Changed or new files within
the directory are read automatically, without the need to send SIGHUP.
If a file is deleted or changed after it has been read by dnsmasq, then the
@@ -1086,7 +1123,7 @@ host record it contained will remain until dnsmasq receives a SIGHUP, or
is restarted; ie host records are only added dynamically.
.TP
.B --dhcp-optsdir=<path>
-This is equivalent to dhcp-optsfile, with the differences noted for --dhcp-hostsdir.
+This is equivalent to \fB--dhcp-optsfile\fP, with the differences noted for \fB--dhcp-hostsdir\fP.
.TP
.B \-Z, --read-ethers
Read /etc/ethers for information about hosts for the DHCP server. The
@@ -1157,12 +1194,12 @@ a literal IP address as TFTP server name, it is necessary to do
.B --dhcp-option=66,"1.2.3.4"
Encapsulated Vendor-class options may also be specified (IPv4 only) using
---dhcp-option: for instance
+\fB--dhcp-option\fP: for instance
.B --dhcp-option=vendor:PXEClient,1,0.0.0.0
sends the encapsulated vendor
class-specific option "mftp-address=0.0.0.0" to any client whose
vendor-class matches "PXEClient". The vendor-class matching is
-substring based (see --dhcp-vendorclass for details). If a
+substring based (see \fB--dhcp-vendorclass\fP for details). If a
vendor-class option (number 60) is sent by dnsmasq, then that is used
for selecting encapsulated options in preference to any sent by the
client. It is
@@ -1175,7 +1212,7 @@ Options may be encapsulated (IPv4 only) within other options: for instance
will send option 175, within which is the option 190. If multiple
options are given which are encapsulated with the same option number
then they will be correctly combined into one encapsulated option.
-encap: and vendor: are may not both be set in the same dhcp-option.
+encap: and vendor: are may not both be set in the same \fB--dhcp-option\fP.
The final variant on encapsulated options is "Vendor-Identifying
Vendor Options" as specified by RFC3925. These are denoted like this:
@@ -1197,7 +1234,7 @@ needed, for example when sending options to PXELinux.
.B --dhcp-no-override
(IPv4 only) Disable re-use of the DHCP servername and filename fields as extra
option space. If it can, dnsmasq moves the boot server and filename
-information (from dhcp-boot) out of their dedicated fields into
+information (from \fB--dhcp-boot\fP) out of their dedicated fields into
DHCP options. This make extra space available in the DHCP packet for
options but can, rarely, confuse old or broken clients. This flag
forces "simple and safe" behaviour to avoid problems in such a case.
@@ -1207,7 +1244,7 @@ Configure dnsmasq to do DHCP relay. The local address is an address
allocated to an interface on the host running dnsmasq. All DHCP
requests arriving on that interface will we relayed to a remote DHCP
server at the server address. It is possible to relay from a single local
-address to multiple remote servers by using multiple dhcp-relay
+address to multiple remote servers by using multiple \fB--dhcp-relay\fP
configs with the same local address and different server
addresses. A server address must be an IP literal address, not a
domain name. In the case of DHCPv6, the server address may be the
@@ -1216,8 +1253,8 @@ must be given, not be wildcard, and is used to direct the multicast to the
correct interface to reach the DHCP server.
Access control for DHCP clients has the same rules as for the DHCP
-server, see --interface, --except-interface, etc. The optional
-interface name in the dhcp-relay config has a different function: it
+server, see \fB--interface\fP, \fB--except-interface\fP, etc. The optional
+interface name in the \fB--dhcp-relay\fP config has a different function: it
controls on which interface DHCP replies from the server will be
accepted. This is intended for configurations which have three
interfaces: one being relayed from, a second connecting the DHCP
@@ -1239,7 +1276,7 @@ Map from a vendor-class string to a tag. Most DHCP clients provide a
"vendor class" which represents, in some sense, the type of host. This option
maps vendor classes to tags, so that DHCP options may be selectively delivered
to different classes of hosts. For example
-.B dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
+.B --dhcp-vendorclass=set:printers,Hewlett-Packard JetDirect
will allow options to be set only for HP printers like so:
.B --dhcp-option=tag:printers,3,192.168.4.4
The vendor-class string is
@@ -1274,8 +1311,8 @@ normally given as colon-separated hex, but is also allowed to be a
simple string. If an exact match is achieved between the circuit or
agent ID and one provided by a relay agent, the tag is set.
-.B dhcp-remoteid
-(but not dhcp-circuitid) is supported in IPv6.
+.B --dhcp-remoteid
+(but not \fB--dhcp-circuitid\fP) is supported in IPv6.
.TP
.B --dhcp-subscrid=set:<tag>,<subscriber-id>
(IPv4 and IPv6) Map from RFC3993 subscriber-id relay agent options to tags.
@@ -1286,9 +1323,9 @@ a DHCP interaction to the DHCP server. Once a client is configured, it
communicates directly with the server. This is undesirable if the
relay agent is adding extra information to the DHCP packets, such as
that used by
-.B dhcp-circuitid
+.B --dhcp-circuitid
and
-.B dhcp-remoteid.
+.B --dhcp-remoteid.
A full relay implementation can use the RFC 5107 serverid-override
option to force the DHCP server to use the relay as a full proxy, with all
packets passing through it. This flag provides an alternative method
@@ -1304,12 +1341,10 @@ the option is sent and matches the value. The value may be of the form
"01:ff:*:02" in which case the value must match (apart from wildcards)
but the option sent may have unmatched data past the end of the
value. The value may also be of the same form as in
-.B dhcp-option
+.B --dhcp-option
in which case the option sent is treated as an array, and one element
must match, so
-
---dhcp-match=set:efi-ia32,option:client-arch,6
-
+.B --dhcp-match=set:efi-ia32,option:client-arch,6
will set the tag "efi-ia32" if the the number 6 appears in the list of
architectures sent by the client in option 93. (See RFC 4578 for
details.) If the value is a string, substring matching is used.
@@ -1318,14 +1353,17 @@ The special form with vi-encap:<enterprise number> matches against
vendor-identifying vendor classes for the specified enterprise. Please
see RFC 3925 for more details of these rare and interesting beasts.
.TP
+.B --dhcp-name-match=set:<tag>,<name>[*]
+Set the tag if the given name is supplied by a DHCP client. There may be a single trailing wildcard *, which has the usual meaning. Combined with dhcp-ignore or dhcp-ignore-names this gives the ability to ignore certain clients by name, or disallow certain hostnames from being claimed by a client.
+.TP
.B --tag-if=set:<tag>[,set:<tag>[,tag:<tag>[,tag:<tag>]]]
Perform boolean operations on tags. Any tag appearing as set:<tag> is set if
all the tags which appear as tag:<tag> are set, (or unset when tag:!<tag> is used)
If no tag:<tag> appears set:<tag> tags are set unconditionally.
Any number of set: and tag: forms may appear, in any order.
-Tag-if lines are executed in order, so if the tag in tag:<tag> is a
+\fB--tag-if\fP lines are executed in order, so if the tag in tag:<tag> is a
tag set by another
-.B tag-if,
+.B --tag-if,
the line which sets the tag must precede the one which tests it.
.TP
.B \-J, --dhcp-ignore=tag:<tag>[,tag:<tag>]
@@ -1334,10 +1372,10 @@ not allocate it a DHCP lease.
.TP
.B --dhcp-ignore-names[=tag:<tag>[,tag:<tag>]]
When all the given tags appear in the tag set, ignore any hostname
-provided by the host. Note that, unlike dhcp-ignore, it is permissible
+provided by the host. Note that, unlike \fB--dhcp-ignore\fP, it is permissible
to supply no tags, in which case DHCP-client supplied hostnames
are always ignored, and DHCP hosts are added to the DNS using only
-dhcp-host configuration in dnsmasq and the contents of /etc/hosts and
+\fB--dhcp-host\fP configuration in dnsmasq and the contents of /etc/hosts and
/etc/ethers.
.TP
.B --dhcp-generate-names=tag:<tag>[,tag:<tag>]
@@ -1382,10 +1420,16 @@ address, and setting this flag enables this mode. Note that in the
sequential mode, clients which allow a lease to expire are much more
likely to move IP address; for this reason it should not be generally used.
.TP
+.B --dhcp-ignore-clid
+Dnsmasq is reading 'client identifier' (RFC 2131) option sent by clients
+(if available) to identify clients. This allow to serve same IP address
+for a host using several interfaces. Use this option to disable 'client identifier'
+reading, i.e. to always identify a host using the MAC address.
+.TP
.B --pxe-service=[tag:<tag>,]<CSA>,<menu text>[,<basename>|<bootservicetype>][,<server address>|<server_name>]
Most uses of PXE boot-ROMS simply allow the PXE
system to obtain an IP address and then download the file specified by
-.B dhcp-boot
+.B --dhcp-boot
and execute it. However the PXE system is capable of more complex
functions when supported by a suitable DHCP server.
@@ -1397,7 +1441,7 @@ integer may be used for other types. The
parameter after the menu text may be a file name, in which case dnsmasq acts as a
boot server and directs the PXE client to download the file by TFTP,
either from itself (
-.B enable-tftp
+.B --enable-tftp
must be set for this to work) or another TFTP server if the final server
address/name is given.
Note that the "layer"
@@ -1419,23 +1463,23 @@ timeout is given then after the
timeout has elapsed with no keyboard input, the first available menu
option will be automatically executed. If the timeout is zero then the first available menu
item will be executed immediately. If
-.B pxe-prompt
+.B --pxe-prompt
is omitted the system will wait for user input if there are multiple
items in the menu, but boot immediately if
there is only one. See
-.B pxe-service
+.B --pxe-service
for details of menu items.
Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP server on
the network is responsible for allocating IP addresses, and dnsmasq
simply provides the information given in
-.B pxe-prompt
+.B --pxe-prompt
and
-.B pxe-service
+.B --pxe-service
to allow netbooting. This mode is enabled using the
.B proxy
keyword in
-.B dhcp-range.
+.B --dhcp-range.
.TP
.B \-X, --dhcp-lease-max=<number>
Limits dnsmasq to the specified maximum number of DHCP leases. The
@@ -1452,6 +1496,13 @@ allows dnsmasq to rebuild its lease database without each client needing to
reacquire a lease, if the database is lost. For DHCPv6 it sets the
priority in replies to 255 (the maximum) instead of 0 (the minimum).
.TP
+.B --dhcp-rapid-commit
+Enable DHCPv4 Rapid Commit Option specified in RFC 4039. When enabled, dnsmasq
+will respond to a DHCPDISCOVER message including a Rapid Commit
+option with a DHCPACK including a Rapid Commit option and fully committed
+address and configuration information. Should only be enabled if either the
+server is the only server for the subnet, or multiple servers are present and they each commit a binding for all clients.
+.TP
.B --dhcp-alternate-port[=<server port>[,<client port>]]
(IPv4 only) Change the ports used for DHCP from the default. If this option is
given alone, without arguments, it changes the ports used for DHCP
@@ -1481,8 +1532,8 @@ the tags used to determine them.
.TP
.B --quiet-dhcp, --quiet-dhcp6, --quiet-ra
Suppress logging of the routine operation of these protocols. Errors and
-problems will still be logged. --quiet-dhcp and quiet-dhcp6 are
-over-ridden by --log-dhcp.
+problems will still be logged. \fB--quiet-dhcp\fP and quiet-dhcp6 are
+over-ridden by \fB--log-dhcp\fP.
.TP
.B \-l, --dhcp-leasefile=<path>
Use the specified file to store DHCP lease information.
@@ -1508,7 +1559,8 @@ address of the host (or DUID for IPv6) , the IP address, and the hostname,
if known. "add" means a lease has been created, "del" means it has
been destroyed, "old" is a notification of an existing lease when
dnsmasq starts or a change to MAC address or hostname of an existing
-lease (also, lease length or expiry and client-id, if leasefile-ro is set).
+lease (also, lease length or expiry and client-id, if \fB--leasefile-ro\fP is set
+and lease expiry if \fB--script-on-renewal\fP is set).
If the MAC address is from a network type other than ethernet,
it will have the network type prepended, eg "06-01:23:45:67:89:ab" for
token ring. The process is run as root (assuming that dnsmasq was originally run as
@@ -1682,7 +1734,7 @@ and
Specify the user as which to run the lease-change script or Lua script. This defaults to root, but can be changed to another user using this flag.
.TP
.B --script-arp
-Enable the "arp" and "arp-old" functions in the dhcp-script and dhcp-luascript.
+Enable the "arp" and "arp-old" functions in the \fB--dhcp-script\fP and \fB--dhcp-luascript\fP.
.TP
.B \-9, --leasefile-ro
Completely suppress use of the lease database file. The file will not
@@ -1698,6 +1750,10 @@ stdout and exit with zero exit code. Setting this
option also forces the leasechange script to be called on changes
to the client-id and lease length and expiry time.
.TP
+.B --script-on-renewal
+Call the DHCP script when the lease expiry time changes, for instance when the
+lease is renewed.
+.TP
.B --bridge-interface=<interface>,<alias>[,<alias>]
Treat DHCP (v4 and v6) requests and IPv6 Router Solicit packets
arriving at any of the <alias> interfaces as if they had arrived at
@@ -1707,9 +1763,39 @@ OpenStack compute host where each such interface is a TAP interface to
a VM, or as in "old style bridging" on BSD platforms. A trailing '*'
wildcard can be used in each <alias>.
-It is permissible to add more than one alias using more than one --bridge-interface option since
---bridge-interface=int1,alias1,alias2 is exactly equivalent to
---bridge-interface=int1,alias1 --bridge-interface=int1,alias2
+It is permissible to add more than one alias using more than one \fB--bridge-interface\fP option since
+\fB--bridge-interface=int1,alias1,alias2\fP is exactly equivalent to
+\fB--bridge-interface=int1,alias1 --bridge-interface=int1,alias2\fP
+.TP
+.B --shared-network=<interface>,<addr>
+.PD 0
+.TP
+.B --shared-network=<addr>,<addr>
+.PD 1v
+The DHCP server determines which DHCP ranges are useable for allocating an
+address to a DHCP client based on the network from which the DHCP request arrives,
+and the IP configuration of the server's interface on that network. The shared-network
+option extends the available subnets (and therefore DHCP ranges) beyond the
+subnets configured on the arrival interface.
+
+The first argument is either the
+name of an interface, or an address that is configured on a local interface, and the
+second argument is an address which defines another subnet on which addresses can be allocated.
+
+To be useful, there must be a suitable dhcp-range which allows address allocation on this subnet
+and this dhcp-range MUST include the netmask.
+
+Using shared-network also needs extra
+consideration of routing. Dnsmasq does not have the usual information that it uses to
+determine the default route, so the default route option (or other routing) MUST be
+configured manually. The client must have a route to the server: if the two-address form
+of shared-network is used, this needs to be to the first specified address. If the interface,address
+form is used, there must be a route to all of the addresses configured on the interface.
+
+The two-address form of shared-network is also usable with a DHCP relay: the first address
+is the address of the relay and the second, as before, specifies an extra subnet which
+addresses may be allocated from.
+
.TP
.B \-s, --domain=<domain>[,<address range>[,local]]
Specifies DNS domains for the DHCP server. Domains may be be given
@@ -1718,7 +1804,7 @@ firstly it causes the DHCP server to return the domain to any hosts
which request it, and secondly it sets the domain which it is legal
for DHCP-configured hosts to claim. The intention is to constrain
hostnames so that an untrusted host on the LAN cannot advertise
-its name via dhcp as e.g. "microsoft.com" and capture traffic not
+its name via DHCP as e.g. "microsoft.com" and capture traffic not
meant for it. If no domain suffix is specified, then any DHCP
hostname with a domain part (ie with a period) will be disallowed
and logged. If suffix is specified, then hostnames with a domain
@@ -1740,11 +1826,11 @@ which can change the behaviour of dnsmasq with domains.
If the address range is given as ip-address/network-size, then a
additional flag "local" may be supplied which has the effect of adding
---local declarations for forward and reverse DNS queries. Eg.
+\fB--local\fP declarations for forward and reverse DNS queries. Eg.
.B --domain=thekelleys.org.uk,192.168.0.0/24,local
is identical to
.B --domain=thekelleys.org.uk,192.168.0.0/24
---local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
+.B --local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/
The network size must be 8, 16 or 24 for this to be legal.
.TP
.B --dhcp-fqdn
@@ -1779,7 +1865,7 @@ discovery and (possibly) prefix discovery for autonomous address
creation are handled by a different protocol. When DHCP is in use,
only a subset of this is needed, and dnsmasq can handle it, using
existing DHCP configuration to provide most data. When RA is enabled,
-dnsmasq will advertise a prefix for each dhcp-range, with default
+dnsmasq will advertise a prefix for each \fB--dhcp-range\fP, with default
router as the relevant link-local address on
the machine running dnsmasq. By default, the "managed address" bits are set, and
the "use SLAAC" bit is reset. This can be changed for individual
@@ -1799,7 +1885,7 @@ The interval between router advertisements may be set (in seconds) with
.B --ra-param=eth0,60.
The lifetime of the route may be changed or set to zero, which allows
a router to advertise prefixes but not a route via itself.
-.B --ra-parm=eth0,0,0
+.B --ra-param=eth0,0,0
(A value of zero for the interval means the default value.) All four parameters may be set at once.
.B --ra-param=eth0,mtu:1280,low,60,1200
@@ -1809,7 +1895,7 @@ The mtu: parameter may be an arbitrary interface name, in which case the MTU val
for (eg) advertising the MTU of a WAN interface on the other interfaces of a router.
.TP
.B --dhcp-reply-delay=[tag:<tag>,]<integer>
-Delays sending DHCPOFFER and proxydhcp replies for at least the specified number of seconds.
+Delays sending DHCPOFFER and PROXYDHCP replies for at least the specified number of seconds.
This can be used as workaround for bugs in PXE boot firmware that does not function properly when
receiving an instant reply.
This option takes into account the time already spent waiting (e.g. performing ping check) if any.
@@ -1834,9 +1920,9 @@ Do not abort startup if specified tftp root directories are inaccessible.
.TP
.B --tftp-unique-root[=ip|mac]
Add the IP or hardware address of the TFTP client as a path component on the end
-of the TFTP-root. Only valid if a tftp-root is set and the directory exists.
+of the TFTP-root. Only valid if a \fB--tftp-root\fP is set and the directory exists.
Defaults to adding IP address (in standard dotted-quad format).
-For instance, if tftp-root is "/tftp" and client 1.2.3.4 requests file "myfile"
+For instance, if \fB--tftp-root\fP is "/tftp" and client 1.2.3.4 requests file "myfile"
then the effective path will be "/tftp/1.2.3.4/myfile" if /tftp/1.2.3.4 exists or /tftp/myfile otherwise.
When "=mac" is specified it will append the MAC address instead, using lowercase zero padded digits
separated by dashes, e.g.: 01-02-03-04-aa-bb
@@ -1846,12 +1932,12 @@ a DHCP lease from us.
.B --tftp-secure
Enable TFTP secure mode: without this, any file which is readable by
the dnsmasq process under normal unix access-control rules is
-available via TFTP. When the --tftp-secure flag is given, only files
+available via TFTP. When the \fB--tftp-secure\fP flag is given, only files
owned by the user running the dnsmasq process are accessible. If
-dnsmasq is being run as root, different rules apply: --tftp-secure
+dnsmasq is being run as root, different rules apply: \fB--tftp-secure\fP
has no effect, but only files which have the world-readable bit set
are accessible. It is not recommended to run dnsmasq as root with TFTP
-enabled, and certainly not without specifying --tftp-root. Doing so
+enabled, and certainly not without specifying \fB--tftp-root\fP. Doing so
can expose any world-readable file on the server to any host on the net.
.TP
.B --tftp-lowercase
@@ -1889,10 +1975,16 @@ specifies a range of ports for use by TFTP transfers. This can be
useful when TFTP has to traverse a firewall. The start of the range
cannot be lower than 1025 unless dnsmasq is running as root. The number
of concurrent TFTP connections is limited by the size of the port range.
-.TP
+.TP
+.B --tftp-single-port
+Run in a mode where the TFTP server uses ONLY the well-known port (69) for its end
+of the TFTP transfer. This allows TFTP to work when there in NAT is the path between client and server. Note that
+this is not strictly compliant with the RFCs specifying the TFTP protocol: use at your own risk.
+.TP
.B \-C, --conf-file=<file>
-Specify a different configuration file. The conf-file option is also allowed in
-configuration files, to include multiple configuration files. A
+Specify a configuration file. The presence of this option stops dnsmasq from reading the default configuration
+file (normally /etc/dnsmasq.conf). Multiple files may be specified by repeating the option
+either on the command line or in configuration files. A
filename of "-" causes dnsmasq to read configuration from stdin.
.TP
.B \-7, --conf-dir=<directory>[,<file-extension>......],
@@ -1904,12 +1996,12 @@ which have that extension are loaded. So
.B --conf-dir=/path/to/dir,*.conf
loads all files with the suffix .conf in /path/to/dir. This flag may be given on the command
line or in a configuration file. If giving it on the command line, be sure to
-escape * characters.
+escape * characters. Files are loaded in alphabetical order of filename.
.TP
.B --servers-file=<file>
A special case of
.B --conf-file
-which differs in two respects. Firstly, only --server and --rev-server are allowed
+which differs in two respects. Firstly, only \fB--server\fP and \fB--rev-server\fP are allowed
in the configuration file included. Secondly, the file is re-read and the configuration
therein is updated when dnsmasq receives SIGHUP.
.SH CONFIG FILE
@@ -1919,9 +2011,9 @@ if it exists. (On
FreeBSD, the file is
.I /usr/local/etc/dnsmasq.conf
) (but see the
-.B \-C
+.B \--conf-file
and
-.B \-7
+.B \--conf-dir
options.) The format of this
file consists of one option per line, exactly as the long options detailed
in the OPTIONS section but without the leading "--". Lines starting with # are comments and ignored. For
@@ -1937,9 +2029,9 @@ clears its cache and then re-loads
.I /etc/hosts
and
.I /etc/ethers
-and any file given by --dhcp-hostsfile, --dhcp-hostsdir, --dhcp-optsfile,
---dhcp-optsdir, --addn-hosts or --hostsdir.
-The dhcp lease change script is called for all
+and any file given by \fB--dhcp-hostsfile\fP, \fB--dhcp-hostsdir\fP, \fB--dhcp-optsfile\fP,
+\fB--dhcp-optsdir\fP, \fB--addn-hosts\fP or \fB--hostsdir\fP.
+The DHCP lease change script is called for all
existing DHCP leases. If
.B
--no-poll
@@ -1958,7 +2050,7 @@ misses and the number of authoritative queries answered are also given. For each
server it gives the number of queries sent, and the number which
resulted in an error. In
.B --no-daemon
-mode or when full logging is enabled (-q), a complete dump of the
+mode or when full logging is enabled (\fB--log-queries\fP), a complete dump of the
contents of the cache is made.
The cache statistics are also available in the DNS as answers to
@@ -2039,7 +2131,7 @@ using
options or put their addresses real in another file, say
.I /etc/resolv.dnsmasq
and run dnsmasq with the
-.B \-r /etc/resolv.dnsmasq
+.B \--resolv-file /etc/resolv.dnsmasq
option. This second technique allows for dynamic update of the server
addresses by PPP or DHCP.
.PP
@@ -2057,67 +2149,66 @@ the CNAME is shadowed too.
The tag system works as follows: For each DHCP request, dnsmasq
collects a set of valid tags from active configuration lines which
include set:<tag>, including one from the
-.B dhcp-range
+.B --dhcp-range
used to allocate the address, one from any matching
-.B dhcp-host
-(and "known" or "known-othernet" if a dhcp-host matches)
+.B --dhcp-host
+(and "known" or "known-othernet" if a \fB--dhcp-host\fP matches)
The tag "bootp" is set for BOOTP requests, and a tag whose name is the
name of the interface on which the request arrived is also set.
Any configuration lines which include one or more tag:<tag> constructs
will only be valid if all that tags are matched in the set derived
-above. Typically this is dhcp-option.
-.B dhcp-option
+above. Typically this is \fB--dhcp-option\fP.
+.B --dhcp-option
which has tags will be used in preference to an untagged
-.B dhcp-option,
+.B --dhcp-option,
provided that _all_ the tags match somewhere in the
set collected as described above. The prefix '!' on a tag means 'not'
-so --dhcp-option=tag:!purple,3,1.2.3.4 sends the option when the
+so \fB--dhcp-option=tag:!purple,3,1.2.3.4\fP sends the option when the
tag purple is not in the set of valid tags. (If using this in a
command line rather than a configuration file, be sure to escape !,
which is a shell metacharacter)
-When selecting dhcp-options, a tag from dhcp-range is second class
+When selecting \fB--dhcp-options\fP, a tag from \fB--dhcp-range\fP is second class
relative to other tags, to make it easy to override options for
individual hosts, so
-.B dhcp-range=set:interface1,......
-.B dhcp-host=set:myhost,.....
-.B dhcp-option=tag:interface1,option:nis-domain,"domain1"
-.B dhcp-option=tag:myhost,option:nis-domain,"domain2"
+.B --dhcp-range=set:interface1,......
+.B --dhcp-host=set:myhost,.....
+.B --dhcp-option=tag:interface1,option:nis-domain,"domain1"
+.B --dhcp-option=tag:myhost,option:nis-domain,"domain2"
will set the NIS-domain to domain1 for hosts in the range, but
override that to domain2 for a particular host.
.PP
Note that for
-.B dhcp-range
+.B --dhcp-range
both tag:<tag> and set:<tag> are allowed, to both select the range in
-use based on (eg) dhcp-host, and to affect the options sent, based on
+use based on (eg) \fB--dhcp-host\fP, and to affect the options sent, based on
the range selected.
This system evolved from an earlier, more limited one and for backward
compatibility "net:" may be used instead of "tag:" and "set:" may be
omitted. (Except in
-.B dhcp-host,
+.B --dhcp-host,
where "net:" may be used instead of "set:".) For the same reason, '#'
may be used instead of '!' to indicate NOT.
.PP
The DHCP server in dnsmasq will function as a BOOTP server also,
provided that the MAC address and IP address for clients are given,
either using
-.B dhcp-host
+.B --dhcp-host
configurations or in
.I /etc/ethers
, and a
-.B dhcp-range
+.B --dhcp-range
configuration option is present to activate the DHCP server
-on a particular network. (Setting --bootp-dynamic removes the need for
+on a particular network. (Setting \fB--bootp-dynamic\fP removes the need for
static address mappings.) The filename
parameter in a BOOTP request is used as a tag,
as is the tag "bootp", allowing some control over the options returned to
different classes of hosts.
.SH AUTHORITATIVE CONFIGURATION
-.PP
Configuring dnsmasq to act as an authoritative DNS server is
complicated by the fact that it involves configuration of external DNS
servers to provide delegation. We will walk through three scenarios of
@@ -2131,8 +2222,8 @@ for which dnsmasq is authoritative our.zone.com.
The simplest configuration consists of two lines of dnsmasq configuration; something like
.nf
-.B auth-server=server.example.com,eth0
-.B auth-zone=our.zone.com,1.2.3.0/24
+.B --auth-server=server.example.com,eth0
+.B --auth-zone=our.zone.com,1.2.3.0/24
.fi
and two records in the external DNS
@@ -2155,8 +2246,8 @@ authoritative zone which dnsmasq is serving, typically at the root. Now
we have
.nf
-.B auth-server=our.zone.com,eth0
-.B auth-zone=our.zone.com,1.2.3.0/24
+.B --auth-server=our.zone.com,eth0
+.B --auth-zone=our.zone.com,1.2.3.0/24
.fi
.nf
@@ -2175,25 +2266,25 @@ entry or
.B --host-record.
.nf
-.B auth-server=our.zone.com,eth0
-.B host-record=our.zone.com,1.2.3.4
-.B auth-zone=our.zone.com,1.2.3.0/24
+.B --auth-server=our.zone.com,eth0
+.B --host-record=our.zone.com,1.2.3.4
+.B --auth-zone=our.zone.com,1.2.3.0/24
.fi
If the external address is dynamic, the address
associated with our.zone.com must be derived from the address of the
relevant interface. This is done using
-.B interface-name
+.B --interface-name
Something like:
.nf
-.B auth-server=our.zone.com,eth0
-.B interface-name=our.zone.com,eth0
-.B auth-zone=our.zone.com,1.2.3.0/24,eth0
+.B --auth-server=our.zone.com,eth0
+.B --interface-name=our.zone.com,eth0
+.B --auth-zone=our.zone.com,1.2.3.0/24,eth0
.fi
-(The "eth0" argument in auth-zone adds the subnet containing eth0's
-dynamic address to the zone, so that the interface-name returns the
+(The "eth0" argument in \fB--auth-zone\fP adds the subnet containing eth0's
+dynamic address to the zone, so that the \fB--interface-name\fP returns the
address in outside queries.)
Our final configuration builds on that above, but also adds a
@@ -2204,7 +2295,7 @@ secondary is beyond the scope of this man-page, but the extra
configuration of dnsmasq is simple:
.nf
-.B auth-sec-servers=secondary.myisp.com
+.B --auth-sec-servers=secondary.myisp.com
.fi
and
@@ -2218,13 +2309,13 @@ secondary to collect the DNS data. If you wish to restrict this data
to particular hosts then
.nf
-.B auth-peer=<IP address of secondary>
+.B --auth-peer=<IP address of secondary>
.fi
will do so.
Dnsmasq acts as an authoritative server for in-addr.arpa and
-ip6.arpa domains associated with the subnets given in auth-zone
+ip6.arpa domains associated with the subnets given in \fB--auth-zone\fP
declarations, so reverse (address to name) lookups can be simply
configured with a suitable NS record, for instance in this example,
where we allow 1.2.3.0/24 addresses.
@@ -2241,8 +2332,8 @@ secondary servers for reverse lookups.
When dnsmasq is configured to act as an authoritative server, the
following data is used to populate the authoritative zone.
.PP
-.B --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record
-, as long as the record names are in the authoritative domain.
+.B --mx-host, --srv-host, --dns-rr, --txt-record, --naptr-record, --caa-record,
+as long as the record names are in the authoritative domain.
.PP
.B --cname
as long as the record name is in the authoritative domain. If the
@@ -2250,7 +2341,7 @@ target of the CNAME is unqualified, then it is qualified with the
authoritative zone name. CNAME used in this way (only) may be wildcards, as in
.nf
-.B cname=*.example.com,default.example.com
+.B --cname=*.example.com,default.example.com
.fi
.PP
@@ -2287,7 +2378,6 @@ used, and must match the zone's domain.
.SH EXIT CODES
-.PP
0 - Dnsmasq successfully forked into the background, or terminated
normally if backgrounding is not enabled.
.PP